[Bro] arista & cpacket experience
juan.caballero at imdea.org
Tue Oct 21 06:59:40 PDT 2014
Thanks a lot for your feedback. Indeed, we plan using a multi-core machine with one Bro worker per core ( plus 1-2 cores for other stuff) and distribute traffic to them either using an Endance card (already available), Myricom cards, or PF-RING. I wasn’t sure if our current machine would be enough that is why I was thinking to support multiple machines, but starting with a single machine sounds like a great idea. From the answers to my questions the Arista may be a cost-effective option for an initial deployment.
From: Vincent Stoffer [mailto:vstoffer at lbl.gov]
Sent: Tuesday, October 21, 2014 2:55 AM
To: Juan Caballero
Cc: bro at bro-ids.org
Subject: Re: [Bro] arista & cpacket experience
We use both the cPacket (cVue 240) and Arista (7150s) and both are quite capable of handling the traffic you suggest. In our older setups we use a custom cPacket device to do MAC re-writing from 10G input to 1G Bro worker nodes. As Mike mentioned, load-balancing traffic to workers on a multi-core box with specialized NIC driver is a more common and often more cost effective configuration these days. We're currently ramping up our 100G Bro cluster with a combination of Arista hardware and collection of Myricom 10G workers on FreeBSD. I would suggest that you use the device you choose to aggregate, filter and distribute your traffic to the different tools and then experiment with running a Bro cluster on a single box. I think with the traffic volumes you mention you should be able to monitor everything with a single 10G card and multiple worker threads.
One thing not to forget is that you'll need 1 port for each direction of "input" traffic on these devices to monitor full duplex taps, so make sure you take that into account when counting ports. The cVue is a very nice piece of hardware with great flexibility, however, the cost is not comparable with the Arista. The Arista feature set is quite good and they have been receptive to our feature requests. We're also very excited to be using Arista's API which lets us do dynamic shunting based on feedback from Bro. If you have specific questions, let me know and I'd be happy to answer them.
On Mon, Oct 20, 2014 at 3:31 AM, Juan Caballero <juan.caballero at imdea.org> wrote:
We would like to deploy a Bro Cluster at a 10 Gbps at about 35% peak usage.
We already have a splitter in place and are discussing options for a
front-end that can merge both traffic directions and load balance sessions
to Bro workers based on session hash and MAC rewriting. Ideally we would
like some equipment that supports multi-port mirroring so that we can add
other monitoring tools in addition to the Bro Cluster (e.g., Snort,
TimeMachine or other Storage).
Robin mentioned to me that people are using Arista and CPacket switches for
this kind of setup. After looking at their webpages the Arista 7150 seems
like a possibility for us (I see on the web page the San Diego SDSC and
Cornell use the larger 7500 series) and CPacket's cVu240NG may be another
(although there is less information about CPacket products online).
Does anyone have experience with these products? Do those models make sense
for the description above?
Any recommendations or things to consider for people without prior
experience in such setups?
Assistant Research Professor
IMDEA Software Institute
Bro mailing list
bro at bro-ids.org
Vincent Stoffer, Cyber Security Engineer
Cyber Security, Information Technology Division
Lawrence Berkeley National Laboratory
More information about the Bro